###
# 
# Check routines
# return PASS - passed
# return DROP - call _drop()
# return BAN - call _ban()
# return DENY - call _deny()
#
# $user_agent = user-agent
# $uri = request_uri
# $combi = unescape( request_uri . remote_addr . host . referer . user_agent . x-forwarded-for )

use constant {
	PASS	=> 0,
	DROP	=> 1,
	BAN	=> 2,
	DENY	=> 3,
};

sub _post_rules {
	my $r = shift;
	my $b = $r->unescape($r->request_body);
	$b =~ s/[\n\r\t]//g;
	return BAN  if($b =~ /union.*select/i);
	return DROP if($b =~ /information_schema/i);
	return DROP if($b =~ /group_concat/i);
	return DROP if($b =~ /or 1=1/i);
	return DROP if($b =~ /and 0=1/i);
	return DROP if($b =~ /and 1=0/i);
	return PASS;
}
sub _sql_injection {
	my $r = shift;
	return BAN  if($combi =~ /union.*select/i);
	return BAN  if($combi =~ /information_schema/i);
	return BAN  if($combi =~ /group_concat/i);
	return DROP if($combi =~ /or 1=1/i);
	return DROP if($combi =~ /and 0=1/i);
	return DROP if($combi =~ /and 1=0/i);
	return PASS;
}
sub _sys_path {
	my $r = shift;
	return BAN  if($combi =~ /\/etc\/passwd/);
	return DROP if($combi =~ /\.\.\/\.\./);
	return BAN  if($combi =~ /\.\.\/\.\.\/\.\.\/\.\./);
	return BAN  if($combi =~ /\.\.\\\.\.\\\.\.\\\.\./);
	return PASS;
}
sub _user_agent {
	my $r = shift;
	return BAN  if($user_agent =~ /gootkit/i);
	return BAN  if($user_agent =~ /WinHttpRequest/i);
	return BAN  if($user_agent =~ /XSpider/i);
	return BAN  if($user_agent =~ /WebXakepBot/i);
	return BAN  if($user_agent =~ /XRumer/i);
	return BAN  if($user_agent =~ /xpymep/i);
	return BAN  if($user_agent =~ /NOSEC.JSky/i);
	return BAN  if($user_agent =~ /Brutus/i);
	return DROP if($user_agent =~ /Indy Library/i);
	return BAN  if($user_agent =~ /LoadImpactMyload/i);
	return BAN  if($user_agent =~ /CMS Detector/i);
	return BAN  if($user_agent =~ /Nessus/i);
	return BAN  if($user_agent =~ /SQL Power Injector/i);
	return BAN  if($user_agent =~ /Security tool/i);
	return BAN  if($user_agent =~ /Netsparker/i);
	return DROP if($user_agent =~ /libwww-perl/i);
	return BAN  if($user_agent =~ /Havij/i);
	return BAN  if($user_agent =~ /DTS Agent/i);
	return BAN  if($user_agent =~ /DataCha0s/i);
	return BAN  if($user_agent =~ /Anonymouse\.org/i);
	return BAN  if($user_agent =~ /AutoIt/i);
	return PASS;
}
sub _xss {
	my $r = shift;
	return BAN  if($combi =~ /alert\(/i);
	return BAN  if($combi =~ /script>/i);
	return BAN  if($combi =~ /<scrip/i);
	return DROP if($uri =~ /src=/i);
	return PASS;
}
sub _scanner {
	my $r = shift;
	return BAN  if($uri eq "/INSTALL.mysql.txt");
	return BAN  if($uri eq "/INSTALL.pgsql.txt");
	return BAN  if($uri =~ /\/database\.yml/i);
	return BAN  if($uri =~ /\/jmx-console/i);
	return BAN  if($uri =~ /\/dbadmin/i);
	return BAN  if($uri =~ /\/phpmyadmin/i);
	return BAN  if($uri =~ /\/pma/i);
	return BAN  if($uri =~ /\/sqladmin/i);
	return BAN  if($combi =~ /acunetix/i);
	return BAN  if($uri =~ /j_security_check/i);
	return BAN  if($r->uri =~ /\.swp$/i);
	return BAN  if($r->uri =~ /\.bak$/i);
	return BAN  if($r->uri =~ /\.old$/i);
	return BAN  if($r->uri =~ /\.sql$/i);
	return BAN  if($r->uri =~ /\.inc$/i);
	return BAN  if($r->uri =~ /\.dump$/i);
	return DROP if($r->uri =~ /\.gz$/i);
	return DROP if($r->uri =~ /\.tar$/i);
	return BAN  if($r->uri =~ /~$/i);
	return BAN  if($uri =~ /\.svn\//i);
	return BAN  if($uri =~ /phpinfo/i);
	return BAN  if($uri =~ /acunetix/i);
	return BAN  if($uri =~ /htaccess/i);
	return BAN  if($uri =~ /htpasswd/i);
	return BAN  if($uri =~ /nessus/i);
	return BAN  if($uri =~ /netsparker/i);
	return BAN  if($uri =~ /id_[rd]sa/i);
	return DENY if($r->uri =~ /(^|\/)\./);
	return BAN  if($r->uri =~ /\|~\.aspx/);
	return PASS;
}


